CVE-2026-8768 | vercel ai up to 3.0.97 provider-utils download-blob.ts validateDownloadUrl server-side request forgery

A vulnerability classified as critical was found in vercel ai up to 3.0.97. The affected element is the function validateDownloadUrl of the file packages/provider-utils/src/download-blob.ts of the component provider-utils. The manipulation results in server-side request forgery.

This vulnerability is reported as CVE-2026-8768. The attack can be launched remotely. Moreover, an exploit is present.

The vendor was contacted early about this disclosure but did not respond in any way.VulDB Recent EntriesRead More